keychain – Commands run in the terminal seem unable to access SSL issuer certificates

A few weeks ago, I suddenly became unable to download PNPM packages, receiving the following warning for all the packages I attempted to download:

GET https://registry.npmjs.org/<package> error (UNABLE_TO_GET_ISSUER_CERT_LOCALLY). Will retry in 10 seconds. 2 retries left.

After two retries, they eventually all failed. I initially thought this was a PNPM bug, as visiting https://registry.npmjs.org in Safari worked and showed a valid root certificate. However, running Python scripts that use urllib now fails with this error:

urllib.error.URLError: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:997)

This leads me to believe that the problem is system-level, since it is occurring in multiple completely different environments. The issue also affects terminals launched in 3rd-party apps, such as VSCode, but doesn't seem to affect other parts of those apps, or indeed any other apps at all.

The solutions I've found online are mostly specific to a single tool (PNPM, urllib, etc.), and involve disabling or working around SSL instead of actually solving the problem, which I don't want to do because of the security implications.

What I've Tried

  • Reinstalling macOS (without erasing it).
  • Checking my root certificates in Keychain Access (all are valid and none have expired).
  • Ensuring that I am not behind a proxy (to my knowledge).
  • Giving Terminal full disk access in case it's somehow being denied read access to the certificates.

Specifications

M1 MacBook Air running macOS Monterey 12.5.1

Author: Subham
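
A diagnostic for the symptom described in the post, added here as an example and not part of the original post: run from the affected terminal, it reports which CA file and directory Python's ssl module (OpenSSL) will consult and flags CA-bundle and proxy environment variables that terminal tools honour. The names `audit_env` and `python_trust_store` are made up for this example.

```python
import os
import ssl

# Variables that change which CA bundle or proxy a terminal tool uses:
# SSL_CERT_FILE / SSL_CERT_DIR (OpenSSL, hence Python's ssl module),
# NODE_EXTRA_CA_CERTS (Node.js, hence pnpm), REQUESTS_CA_BUNDLE and
# CURL_CA_BUNDLE (requests, curl), plus the usual proxy variables.
CA_VARS = ("SSL_CERT_FILE", "SSL_CERT_DIR", "NODE_EXTRA_CA_CERTS",
           "REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE")
PROXY_VARS = ("HTTPS_PROXY", "https_proxy", "HTTP_PROXY", "http_proxy",
              "ALL_PROXY", "all_proxy")


def audit_env(env):
    """Return {name: (value, status)} for each trust-related variable set in env.

    status is "ok" or "missing" for CA paths (does the path exist?) and
    "proxy" for proxy variables, which may point at a TLS-intercepting hop.
    """
    findings = {}
    for name in CA_VARS:
        if env.get(name):
            status = "ok" if os.path.exists(env[name]) else "missing"
            findings[name] = (env[name], status)
    for name in PROXY_VARS:
        if env.get(name):
            findings[name] = (env[name], "proxy")
    return findings


def python_trust_store():
    """Report where this interpreter's ssl module looks for CA certificates."""
    paths = ssl.get_default_verify_paths()
    ctx = ssl.create_default_context()
    return {
        "cafile": paths.cafile,    # None when the file does not exist
        "capath": paths.capath,    # None when the directory does not exist
        "openssl_cafile": paths.openssl_cafile,  # compiled-in default location
        "openssl_capath": paths.openssl_capath,
        # Certificates in capath are loaded lazily and are not counted here.
        "loaded_ca_count": len(ctx.get_ca_certs()),
    }


if __name__ == "__main__":
    for key, value in python_trust_store().items():
        print(f"{key}: {value}")
    for name, (value, status) in audit_env(os.environ).items():
        print(f"{name}={value} [{status}]")
```

If `cafile` and `capath` are both None and `loaded_ca_count` is 0, this interpreter has no CA certificates to verify a server chain against; a CA variable reported as "missing" points the tool at a bundle that is not there.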
